• Send Us A Tip
  • Calling all Tech Writers
  • Advertise
Monday, July 6, 2026
  • Login
TechStory
  • News
  • Crypto
  • Gadgets
  • Memes
  • Gaming
  • Cars
  • AI
  • Startups
  • Markets
  • How to
No Result
View All Result
  • News
  • Crypto
  • Gadgets
  • Memes
  • Gaming
  • Cars
  • AI
  • Startups
  • Markets
  • How to
No Result
View All Result
TechStory
No Result
View All Result
Home Business

DJI Compensates Engineer Who Accidentally “Hacked” 7,000 Vacuums

The "Romo" Project: Reverse-Engineering with AI

by Anochie Esther
March 8, 2026
in Business, News
Reading Time: 4 mins read
0
DJI

Image Credits: Macrumors

TwitterWhatsappLinkedin

What began as a playful weekend project to drive a robot vacuum with a PlayStation 5 controller has ended with a $30,000 payout and a major security reckoning for the world’s largest drone maker. On March 6, 2026, reports confirmed that DJI has officially compensated software engineer Sammy Azdoufal for discovering a catastrophic backend vulnerability in the DJI Romo robot vacuum, a flaw that inadvertently granted him “god mode” over thousands of private homes across 24 countries.

You might also like

Navi Technologies Eyes ₹3,000 Crore IPO by March 2027 in Third Listing Attempt

Adani Defence Breaks Ground In Shivpuri On South Asia’s Largest Private Missile Ecosystem With ₹2,500 Crore Investment

Uber Pauses Europe Expansion Plans as It Chases €12 Billion Delivery Hero Takeover

The incident, which has sent shockwaves through the IoT (Internet of Things) industry, highlights a terrifying reality: in the age of AI-assisted coding, the barrier to finding world-class security exploits has virtually vanished.

Sammy Azdoufal, an AI strategy lead based in Spain, didn’t set out to become a global security researcher. He simply wanted to bypass the standard DJI Home app to steer his new $2,000 DJI Romo manually using a DualSense controller. To do this, he needed to understand the “secret handshake” between the vacuum and DJI’s cloud servers.

Leveraging Claude Code, a high-speed agentic AI coding tool, Azdoufal was able to reverse-engineer the Romo’s communication protocols in record time. By feeding the AI the machine-language traffic from his own device, he successfully extracted his personal authentication token. However, when he attempted to use that token to send commands through a custom-built client, he didn’t just see his own vacuum—he saw the entire fleet.

The “Accidental” Army: 7,000 Vacuums and Counting

The technical failure was a classic case of Broken Object Level Authorization (BOLA). Due to a misconfiguration in DJI’s MQTT-based messaging environment (the protocol used for IoT devices to “talk” to the cloud), the server failed to verify if Azdoufal’s token actually belonged to the specific devices he was querying.

Instead of rejecting unauthorized requests, the server essentially treated Azdoufal as the “master owner” of every active Romo unit. Within minutes, his laptop was flooded with data from 6,700 robots. He could see serial numbers, battery levels, and most disturbingly, the real-time activity of thousands of strangers.

Beyond Dust: Live Cameras, Microphones, and Maps

The breach went far deeper than simple status updates. Because the DJI Romo is marketed as a “high-sensing” flagship, it is equipped with high-definition cameras and microphones for obstacle avoidance and remote monitoring.

Azdoufal discovered he could:

  • Access Live Video: View high-definition feeds from the vacuums’ floor-level cameras.

  • Listen in Real-Time: Activate the on-board microphones to hear conversations within the homes.

  • Floor Plan Extraction: Generate and download 2D and 3D maps of private residences, accurate enough to identify room layouts and furniture placement.

  • Geographic Tracking: Use IP addresses to pinpoint the approximate physical location of the robots.

The Verge Verification: A Real-Time Privacy Nightmare

To prove the severity of the flaw, Azdoufal worked with The Verge to conduct a controlled test. A journalist provided Azdoufal with the 14-digit serial number of a Romo unit being used for a review in another country.

In less than nine minutes, Azdoufal was able to remotely “ping” the journalist’s vacuum. He accurately reported that the robot was currently cleaning the living room, had 80% battery life remaining, and successfully transmitted a map of the journalist’s apartment back to his own screen. This real-time demonstration forced DJI to move beyond its initial dismissal of the bug.

DJI’s Response: From Denial to Payout

The corporate response was initially rocky. DJI first told reporters that the vulnerability had been identified through an “internal review” in January and was already being patched. However, Azdoufal’s live demonstration proved that the flaw remained wide open well into February.

After the story went viral, DJI pivoted. The company issued a formal thank you on social media and, as of this week, has confirmed a $30,000 bounty payment to Azdoufal. While DJI insists that “industry-standard encryption” was always in place, the incident proved that encryption is useless if the authorization logic at the other end is broken.

The Era of “Vulnerability Democratization”

The most significant takeaway from the “Romo Security” saga isn’t just about a broken server; it’s about the tool used to find it. Azdoufal openly admits that without AI coding assistants, reverse-engineering a complex proprietary protocol would have taken weeks of specialized work. With AI, it took a weekend.

This “democratization” of hacking means that manufacturers can no longer rely on “security through obscurity.” As AI makes it easier for hobbyists to poke at the code of their smart devices, companies must adopt “Zero Trust” architectures where every single data packet is verified at the object level.

As Sammy Azdoufal’s wife reportedly placed a piece of tape over their own robot vacuum’s camera, the world is left to wonder if the convenience of a clean floor is worth the risk of a mobile, internet-connected spy in the living room. The $30,000 payout to Azdoufal is a small price for DJI to pay to avoid a PR catastrophe, but for the 7,000 owners who were unknowingly part of an “accidental army,” the sense of privacy may never fully return.

Tags: #7000 vaccums#DJI Romo robot vacuum#hackedcompensationDJI
Tweet56SendShare16
Previous Post

How To Open Parlor Door In Resident Evil Requiem

Next Post

The $54 Million Prediction Market Fallout of Kalshi from Khamenei’s Death

Anochie Esther

Recommended For You

Navi Technologies Eyes ₹3,000 Crore IPO by March 2027 in Third Listing Attempt

by Rounak Majumdar
July 6, 2026
0
Navi Technologies Eyes ₹3,000 Crore IPO by March 2027 in Third Listing Attempt

Sachin Bansal's fintech company Navi Technologies is pushing ahead with plans to file a fresh Draft Red Herring Prospectus (DRHP) with SEBI and target a ₹3,000 crore IPO...

Read more

Adani Defence Breaks Ground In Shivpuri On South Asia’s Largest Private Missile Ecosystem With ₹2,500 Crore Investment

by Rounak Majumdar
July 6, 2026
0
Adani Defence Breaks Ground In Shivpuri On South Asia's Largest Private Missile Ecosystem With ₹2,500 Crore Investment

India's private defence sector crossed a historic threshold on July 5, 2026. Adani Defence and Aerospace, the defence arm of Adani Enterprises Limited, laid the foundation stone for...

Read more

Uber Pauses Europe Expansion Plans as It Chases €12 Billion Delivery Hero Takeover

by Rounak Majumdar
July 5, 2026
0
Uber Pauses Europe Expansion Plans as It Chases €12 Billion Delivery Hero Takeover

Uber has quietly shelved the majority of its headline-grabbing European food delivery expansion, just months after announcing it with considerable fanfare. The Financial Times reported on Sunday that...

Read more
Next Post
Kalshi

The $54 Million Prediction Market Fallout of Kalshi from Khamenei’s Death

Please login to join discussion

Techstory

Tech and Business News from around the world. Follow along for latest in the world of Tech, AI, Crypto, EVs, Business Personalities and more.
reach us at info@techstory.in

Advertise With Us

Reach out at - info@techstory.in

Aviator Game India 2026

BROWSE BY TAG

#Crypto #howto 2024 acquisition AI amazon Apple Artificial Intelligence bitcoin Business China cryptocurrency e-commerce electric vehicles Elon Musk Ethereum facebook funding Gaming Google India Instagram Investment ios iPhone IPO Market Markets Meta Microsoft News OpenAI samsung Social Media SpaceX startup startups tech technology Tesla TikTok trend trending twitter US

© 2025 Techstory.in

No Result
View All Result
  • News
  • Crypto
  • Gadgets
  • Memes
  • Gaming
  • Cars
  • AI
  • Startups
  • Markets
  • How to

© 2025 Techstory.in

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?